From: "J. Bruce Fields" <bfields@fieldses.org>
To: Dave Quigley <dpquigl@davequigley.com>
Cc: Steve Dickson <SteveD@redhat.com>,
"David P. Quigley" <selinux@davequigley.com>,
trond.myklebust@netapp.com, sds@tycho.nsa.gov,
linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: Labeled NFS [v5]
Date: Wed, 14 Nov 2012 08:45:35 -0500
Message-ID: <20121114134535.GD23604@fieldses.org>
In-Reply-To: <50A31EF5.1050801@davequigley.com>
On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
> On 11/13/2012 7:55 AM, Steve Dickson wrote:
> >
> >
> >On 12/11/12 20:39, Dave Quigley wrote:
> >>If you're ok with non Fedora kernel images I can try to put up a tree either tonight or tomorrow with the patches that you just need to build and install. That plus the one patch for nfs-utils should make everything work.
> >I'm good with that....
> >
> >steved.
> >
>
> Ok so if you go to http://www.selinuxproject.org/git you will see a
> repo for lnfs and lnfs-patchset. The instructions at
> http://www.selinuxproject.org/page/Labeled_NFS give you a better
> indication on how to pull the trees. I've attached a patch for NFS
> utils which gives support for security_label/nosecurity_label in
> your /etc/exports file.
Do we need an export option? Is there any reason not to make the
feature available whenever there's support available for it?
--b.
> I've also attached a script called setup
> which should build a test directory called /export with a copy of
> /var/www under it which should be labeled properly. It does all the
> proper SELinux commands to make sure labeling is correct. Once you
> have that setup just mount -t nfs localhost:/ /mnt/lnfs (or wherever
> you want) and you should be good to go. Just ls -Z in /mnt/lnfs/var
> and check to make sure the labels are the same as /export/var. It
> should have the labels showing up in the network transfer. If you
> have any problems just let me know and I can try to help figure them
> out.
>
> Dave
> From da84919c6957090cd961bb4ce40753820312a845 Mon Sep 17 00:00:00 2001
> From: Dave Quigley <dpquigl@taiga.selinuxproject.org>
> Date: Fri, 18 Sep 2009 08:53:58 -0700
> Subject: [PATCH] Add support to specify which exports will provide Labeled NFS support.
>
> diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h
> index 1547a87..b8e2fb0 100644
> --- a/support/include/nfs/export.h
> +++ b/support/include/nfs/export.h
> @@ -17,7 +17,8 @@
> #define NFSEXP_ALLSQUASH 0x0008
> #define NFSEXP_ASYNC 0x0010
> #define NFSEXP_GATHERED_WRITES 0x0020
> -/* 40, 80, 100 unused */
> +#define NFSEXP_SECURITY_LABEL 0x0040 /* Support MAC attribute */
> +/* 80, 100 unused */
> #define NFSEXP_NOHIDE 0x0200
> #define NFSEXP_NOSUBTREECHECK 0x0400
> #define NFSEXP_NOAUTHNLM 0x0800
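Review bot: the constant 0x0040 chosen here has to agree with the kernel side's NFSEXP_SECURITY_LABEL, because e_flags is handed to nfsd as a bare bitmask and a mismatched bit would silently turn on some other export flag rather than fail; a comment on this line saying which kernel definition it mirrors would make that dependency visible. The patch also adds a new /etc/exports option without documenting it: only export.h, exports.c and exportfs.c are touched, so the exports(5) man page should gain entries for security_label and nosecurity_label, including what the default is when neither is given.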
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index a93941c..8965c8d 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -239,6 +239,8 @@ putexportent(struct exportent *ep)
> fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : "");
> fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)?
> "" : "no_");
> + fprintf(fp, "%ssecurity_label,", (ep->e_flags & NFSEXP_SECURITY_LABEL)?
> + "" : "no");
> fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_NOHIDE)?
> "no" : "");
> fprintf(fp, "%scrossmnt,", (ep->e_flags & NFSEXP_CROSSMOUNT)?
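Review bot: whatever putexportent writes here is read back by parseopts, so the spelling must stay in sync with the tokens accepted there; "nosecurity_label" (no underscore) does match the parser hunk below, but it sits two lines under "no_wdelay", so this file now carries both negation styles. Either pick the "no_" form used by the neighbouring wdelay and root_squash options, or have parseopts accept "no_security_label" as an alias so a hand-edited exports file using the obvious spelling is not rejected.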
> @@ -531,6 +533,10 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
> setflags(NFSEXP_GATHERED_WRITES, active, ep);
> else if (!strcmp(opt, "no_wdelay"))
> clearflags(NFSEXP_GATHERED_WRITES, active, ep);
> + else if (strcmp(opt, "security_label") == 0)
> + ep->e_flags |= NFSEXP_SECURITY_LABEL;
> + else if (strcmp(opt, "nosecurity_label") == 0)
> + ep->e_flags &= ~NFSEXP_SECURITY_LABEL;
> else if (strcmp(opt, "root_squash") == 0)
> setflags(NFSEXP_ROOTSQUASH, active, ep);
> else if (!strcmp(opt, "no_root_squash"))
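Review bot: the two new branches poke ep->e_flags directly, while every neighbouring option (wdelay, no_wdelay, root_squash, no_root_squash) goes through setflags(mask, active, ep) and clearflags(mask, active, ep). Those helpers also apply the bit to the per-security-flavor state that `active` selects, so bypassing them means security_label is recorded only in the top-level flags; use `setflags(NFSEXP_SECURITY_LABEL, active, ep);` and `clearflags(NFSEXP_SECURITY_LABEL, active, ep);` so the option behaves like the others in a sec= context.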
> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
> index b78957f..6434825 100644
> --- a/utils/exportfs/exportfs.c
> +++ b/utils/exportfs/exportfs.c
> @@ -531,6 +531,8 @@ dump(int verbose)
> c = dumpopt(c, "async");
> if (ep->e_flags & NFSEXP_GATHERED_WRITES)
> c = dumpopt(c, "wdelay");
> + if (ep->e_flags & NFSEXP_SECURITY_LABEL)
> + c = dumpopt(c, "security_label");
> if (ep->e_flags & NFSEXP_NOHIDE)
> c = dumpopt(c, "nohide");
> if (ep->e_flags & NFSEXP_CROSSMOUNT)
> #!/bin/bash
> # Build a properly labeled test export under /export holding a copy of /var/www.
> set -e
> mkdir -p /export
> # Type the export root itself as mnt_t.
> semanage fcontext -a -t mnt_t /export
> mkdir -p /export/var
> cp -R /var/www /export/var
> # Make /export/var label-equivalent to /var so the copied tree keeps the httpd_* contexts.
> semanage fcontext -a -e /var /export/var
> # Relabel the tree according to the rules recorded above.
> restorecon -R /export
>
> # Export it with security_label; the option list must contain no whitespace or exportfs rejects the line.
> echo "/export *(rw,fsid=0,sec=unix,security_label,insecure,no_subtree_check,sync,no_root_squash)" >> /etc/exports
> systemctl restart nfs-server.service
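The verification step Dave describes (running `ls -Z` in /mnt/lnfs/var and checking that the labels match /export/var) can be scripted so that a mismatch is reported rather than eyeballed. The following POSIX shell function is an added example and is not part of this thread or of the lnfs tree; the two listings it compares are constructed samples of `ls -Z` output, and the nfs_t label on the client side is an invented mismatch standing in for a file whose label did not come across the wire.

```shell
#!/bin/sh
# Added example (not from the thread): compare SELinux labels between the
# server-side export tree and its Labeled NFS mount, using `ls -Z` output.
# In real use you would call:
#   compare_labels "$(ls -Z /export/var/www)" "$(ls -Z /mnt/lnfs/var/www)"
# Both listings below are constructed samples so the script runs offline.

# Constructed sample: what `ls -Z` on the server's /export/var/www might show.
SERVER_LISTING='system_u:object_r:httpd_sys_content_t:s0 html
system_u:object_r:httpd_sys_content_t:s0 cgi-bin
system_u:object_r:httpd_sys_rw_content_t:s0 upload'

# Constructed sample: the same directory seen through the NFS mount, where
# one entry shows a generic NFS label instead of the one stored on the server.
CLIENT_LISTING='system_u:object_r:httpd_sys_content_t:s0 html
system_u:object_r:httpd_sys_content_t:s0 cgi-bin
system_u:object_r:nfs_t:s0 upload'

# compare_labels SERVER_LISTING CLIENT_LISTING
# For every entry in the server listing, look up the same name in the client
# listing and report it if the label differs or the entry is missing.
# Prints one line per problem; exit status 0 means every label matched,
# 1 means at least one did not.
compare_labels() {
    server="$1"
    client="$2"
    problems=$(printf '%s\n' "$server" | while read -r s_ctx s_name; do
        [ -n "$s_name" ] || continue
        # `ls -Z` prints the context first, then the name (no spaces in names here).
        c_ctx=$(printf '%s\n' "$client" | awk -v n="$s_name" '$2 == n { print $1; exit }')
        if [ -z "$c_ctx" ]; then
            printf '%s: missing on client\n' "$s_name"
        elif [ "$c_ctx" != "$s_ctx" ]; then
            printf '%s: server=%s client=%s\n' "$s_name" "$s_ctx" "$c_ctx"
        fi
    done)
    [ -n "$problems" ] && printf '%s\n' "$problems"
    [ -z "$problems" ]
}

# Run against the constructed samples: reports "upload" and returns 1.
compare_labels "$SERVER_LISTING" "$CLIENT_LISTING" || echo "label mismatch detected"
```

A non-zero exit from the function is the signal that labels are not being carried over the mount; in Dave's setup every entry under /mnt/lnfs/var should compare equal to its counterpart under /export/var, so any reported line points at either a missing security_label export option or a file the server could not label.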